[unisog] MS-SQL Zombie DDoS

John Valenti valenti at msu.edu
Tue Jan 28 04:58:11 GMT 2003

My desktop system was hit over the weekend. I tried your suggestion below
and got back:


Does count as accessible to the Internet?

Oh, I'm pretty sure my problem was caused by Sitekeeper. I downloaded a demo
version of that a few months back. I ran Windows Update as recently as last
week and it didn't warn me about the MSDE bug.

John Valenti, Systems Analyst SLIR, Michigan State University

----- Original Message -----
From: "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu>
To: <unisog at sans.org>
Sent: Monday, January 27, 2003 1:23 PM
Subject: RE: [unisog] MS-SQL Zombie DDoS

> %>More MSDE2000 apps that are potentially vulnerable (not certain
> %>that all are network aware)..
> %>
> %><http://sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13>
> Many of the MSDE applications do not open ports to the network
> interface, only to localhost. I don't think that these apps
> are vulnerable to attack -- unless super weird internal
> bridging from private ==> public occurs.
> If the originating address ( in this case below)
> is not accessible to the Internet, then there shouldn't be a
> risk of infection..  If the IP is public, then yes..
> Folks can check their Windows systems to see whether
> any MSDE apps are vulnerable. From the command line, type
>    netstat -an | find "1434"
> If port 1434 is open, the response will be something along the
> lines of:
>    UDP         LISTENING
> Otherwise you'll just get the command prompt back again.
> ~cam.
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> 512.475.9242
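
Added example, not part of either message above: the quoted netstat check matches any line containing "1434", so this sketch parses `netstat -an` text for UDP sockets bound to exactly port 1434 and reports how far each bind address exposes the listener, which is the loopback versus private versus public distinction discussed in the thread. The function names and the netstat lines are constructed for illustration; 192.0.2.10 is a documentation address standing in for a public one.

```python
import ipaddress

PORT = 1434  # UDP port checked in the quoted message
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of Windows `netstat -an`; not real output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1434         *:*
  UDP    192.168.1.20:1434      *:*
  UDP    192.0.2.10:1434        *:*
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:14340          *:*
"""

def classify(addr):
    """Describe how far a bind address exposes the listener."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback-only"
    if (ip.version == 4 and any(ip in net for net in RFC1918)) or \
       (ip.version == 6 and ip.is_private):
        return "private"
    return "routable"              # anything else: treat as reachable

def udp_1434_listeners(netstat_text):
    """Return (address, exposure) for each UDP socket bound to PORT."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].upper() != "UDP":
            continue               # skips the header and TCP rows
        host, _, port = fields[1].rpartition(":")
        if port != str(PORT):
            continue               # exact match, so 14340 is ignored
        host = host.strip("[]").split("%")[0]   # IPv6 brackets, zone id
        try:
            found.append((host, classify(host)))
        except ValueError:
            continue               # local address is not an IP literal
    return found

if __name__ == "__main__":
    for addr, exposure in udp_1434_listeners(SAMPLE):
        print(f"{addr:15} {exposure}")
```

An "all-interfaces" result still depends on what addresses the machine itself holds, so it needs the same public-or-private check on the host's own IP.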
